Suppose you are on a jury in a case about tax evasion. What would you think of a defence on the lines: “the accused did not seek to circumvent the law”? Would you accept this statement and return a not-guilty verdict?
Well this, in summary, is what the Intelligence and Security Committee (ISC) has done. In its press release associated with its report ‘Privacy and Security: A modern and transparent legal framework’, the ISC states: “The UK’s intelligence and security agencies do not seek to circumvent the law”. I think this is just the kind of comment that is intended to reassure but does the precise opposite.
The ISC also confirmed that “GCHQ require access to internet traffic through bulk interception primarily in order to uncover threats”. However “while GCHQ’s bulk interception capability may involve large numbers of emails, it does not equate to blanket surveillance, nor does it equate to indiscriminate surveillance”.
So the ISC argue that we don’t have "blanket surveillance" we only have “non-indiscriminate bulk interception”. What is the difference between the two?
In this blog I explain why the ISC thinks there has not been a breach of Article 8 of the Human Rights Act whereas most privacy activists think there is a breach. I also show that the ISC have ignored the obvious solution which is to apply the Data Protection Principles to the processing of personal data for the national security purpose.
Hopefully, this blog will also clarify the core issues and aid a public debate about what to do with the Snowden revelations.
Why bulk personal data are collected?
It is very easy to understand why bulk data are collected. Suppose there is a young woman who flies out of the UK in order to become a “jihadi bride” and suppose further this woman has a Facebook account and 100 Facebook friends.
Should these friends be “of interest” to those who investigate such matters? Almost invariably the answer will be “yes”. It is this kind of data that form part of the “investigative tool” as described in the ISC report.
Now, should “friends of friends” become “of interest” to the authorities? It could be that one of the woman’s 100 Facebook friends is acting as a “go between” for the young woman who flies out, and a contact who is grooming her. If you accept this proposition, and suppose each of the woman’s friends have their own 100 friends, it follows that there are 10,000 individuals “of interest” from just one contact and a single Facebook account.
The press often report the fact that there are 500 UK individuals out in Syria already: 500 times 10,000 is 5 million. Indeed, if you expand a single contact to include “friends of friends of friends”, then you have 1,000,000 contacts from just one Facebook account!
It is this kind of data that becomes the “intelligence tool” as described by the ISC report and accounts for the comment that “such data collection does not equate to blanket surveillance, nor does it equate to indiscriminate surveillance”.
Of course, my back of an envelope calculation contains a load of assumptions; however its purpose is merely to demonstrate that the numbers of persons who may be “of interest” gets astronomically large very quickly. As a result the volumes of data involved can be immense.
In these circumstances, I am unconvinced by the ISC’s argument that “bulk data interception” is very different to “blanket surveillance” etc. This is because there are databases that contain millions of records where the connection that justifies the collection of personal data (e.g. about you) could be remote (e.g. you are a "friend" of a "friend" who has a dodgy "friend").
No role for the Data Protection Act
There is nothing in the ISC report about the Data Protection Act (DPA) or the national security exemption. The only real mention of the DPA is by the Head of the Intelligence who, in his (unpublished) evidence stated that his powers under the Intelligence Services Act 1994 were constrained by the DPA:
“… the Intelligence Services Act is not the only Act that we comply with; it gives us our basic powers, the powers to obtain information and powers to share information through our statutory gateways. And then there are a whole series of legal controls on what we do, around the right to privacy, the Human Rights Act 1998, the Data Protection Act 1998, the RIPA 2000, and so on”.(Quoted in the ISC Report)
This kind of statement about the DPA is not only factually incorrect, it is complete rubbish. There are very few “legal controls” in the DPA as the ICO’s written evidence makes clear:
“The Data Protection Act provides only limited reassurance as a wide ranging exemption from its provisions can in any case be relied on where safeguarding national security is concerned”.
Some data protection issue need attention
Although the ISC report ignores the DPA, it does expose some data protection type-issues that appear to need urgent attention. For instance:
“The Agencies each have a review panel, chaired by a senior official, which meets every six months to review the Bulk Personal Datasets currently held by the Agency". Comment: there appears to be no clear retention schedule for personal data in the context of a data subject; decisions on retention appear to be made on the basis of the date of collection of the data and not whether it is “necessary” to retain the personal data about a data subject.
Another date-related retention policy is mentioned in footnote 99 which states “GCHQ’s standard policy is to retain the content of selected communications for *** and the Related Communications Data for up to ***. However, in some circumstances (such as voice communications where a transcript has been produced from the recording the content or RCD may be held for up to ***”. Comment: there again, personal data are not kept on the basis of “no longer than are necessary” but rather on the date of their collection.
“Whereas the Agencies’ capabilities to intercept communications and acquire Communications Data are regulated by RIPA, the rules governing the use of Bulk Personal Datasets are not defined in legislation”. Comment: this statement from the ISC is incorrect as the required rules are defined by the Data Protection Principles; as the processing is covered by National Security Certificates these statutory Principles are exempt. (That is why the ISC should have considered the DPA).
“The Agencies have told the Committee that the acquisition and use of Bulk Personal Datasets is tightly controlled, and that the HRA ‘triple test’ (i.e. for a lawful purpose, necessary and proportionate) is considered both at the point of acquisition, and also before any specific searches are conducted against the data (which is when they consider the principal intrusion into an individual’s privacy to occur).” Translation: this is confirmation that Agencies don’t consider data protection issues because they are exempt unless they are directly linked to Article 8.
"Agencies may share Bulk Personal Datasets between them where they consider this to be lawful, necessary and proportionate". Comment: there is no mention of any formal data sharing agreement which could contain procedures or detail that could serve to reassure the public that disclosures occur properly (see next section).
National Security Certificates and Section 28
In a previous blog, I explained that some old National Security Certificates were in the public domain (see references for a copy) and that they excluded the Second and Eighth Data Protection Principles. Because the ISC did not refer to the DPA, there is no mention of the Section 28 exemption in the DPA. Although the ISC looked at the warranting and authorisation arrangements under RIPA, it did not consider the issuing of National Security Certificates issued under the DPA.
As I can find no other National Security Certificate in the public domain, one has to assume that any replacement Certificate contains the same broad level of exemption. The Second Principle exemption, for instance, could suggest that, in the extreme, the national security agencies want to disclose bulk personal data (or personal data about a single data subject) for purposes that are incompatible with the national security purpose.
The Eighth Principle exemption, in the extreme, suggests the national security agencies want to transfer such personal data to any country without regard for the adequacy of the protection afforded by that country.
The ISC report contains nothing to reassure the public on the above issues. It does explore data sharing between foreign National Security Agencies for national security purposes; however these are circumstances where any transfer is for a compatible purpose and in the substantial public interest (i.e. circumstances when any disclosure/transfer complies with the requirements of the Second and Eighth Principles).
In short, the ISC failure to analyse any aspect of the DPA weakens the value of its report and could serve to undermine its conclusions.
"Blanket" versus "bulk": a different view point
The different viewpoints of “blanket surveillance” versus “bulk interception” is made clear at paragraphs 91 and 93 of the ISC report:
“However, four of the privacy campaigners who gave evidence to this Inquiry – Big Brother Watch, JUSTICE, Liberty and Rights Watch UK – told the Committee that they objected to the principle of collecting internet communications in bulk” (para 91).
“We recognise their concerns as to the intrusive nature of bulk collection. However, without some form of bulk collection the Agencies would not be able to discover threats” (para 93).
In summary, the ISC finds that “bulk data” collection is justifiable as these bulk data are then subjected to “targeting and filtering” to reduce volumes. It is by applying “levels of filtering and selection” that “only a very tiny percentage of those collected are ever seen by human eyes”.
Hence, in the ISC view, the main privacy issues arise not from the collection of the bulk data by interception, but from the subsequent use or disclosure of the records. As these records have been filtered down to perhaps a hard core of suspects, it follows that there is little interference to the vast number of individuals who are excluded by the “filtering and selection” process.
In other words, most of the data collected relate to an “innocent” population connected in some way to someone of interest. If such data are “filtered and selected”, then they are excluded from the analysis and no consequential detriment is caused. If however, an individual is selected as being of further interest, then any subsequent use and disclosure is likely to be justified.
By contrast, the privacy lobby argue that the mere collection of personal data on this scale breaches Article 8 and this stance has been vindicated by the European Court of Human Rights. For example, in S v Marper (DNA database) 17 judges of the European Court of Human Rights agreed that (at para 67): “The mere storing of data relating to the private life of an individual amounts to an interference within the meaning of Article 8”.
This contrasts when the House of Lords considered Marper, the Court issued an unanimous judgement which supported the view being proposed by the ISC. In his judgment, Lord Steyn in House of Lords said: “Looking at the matter in the round I incline to the view that in respect of retained fingerprints and samples article 8(1) is not engaged. If I am wrong in this view, I would say any interference is very modest indeed” (S v Marper).
The divergence of views can now be reduced to two propositions:
the ISC’s view is that the mass collection and retention is a minor issue; subsequent filtering and selection limits the further use and disclosure and minimises the consequent privacy risks. (I add that if this argument prevails, the exemptions from the Second and Eighth Principles, as explained above, are a justifiable concern).
the privacy activists interviewed by the ISC argue that the collection and retention is a major issue; if you don’t collect personal data in the first place then there can be no subsequent use and disclosure that is detrimental to privacy (and one would not need the exemptions from the Second and Eighth Principles, I hasten to add).
The divergence above is what the public debate should be all about. Where is the line to be drawn?
If you look at the ISC report in the round, most of the issues it raises revolves around the mass collection, use, retention, disclosure or access to personal data. In other words, the dilemmas raised by the ISC are the dilemmas that the data protection principles are designed to resolve. These principles have been around for over three decades; their application has passed the test of time and they work.
This fact alone serves to make the ISC omission of the DPA even more remarkable; the ISC has not even bothered to argue that the exemption from the DPA is justified.
The role of the principles is to balance the interests of data subjects and data controllers in the controversial areas of personal data collection, use, disclosure and retention. If the police and their sensitive criminal intelligence systems on serious crime can embrace these principles; there is no rational reason to say that the national security agencies cannot do likewise.
Indeed, those National Security Certificates with unexplained broad exemptions do the national security agencies no favours.
The agencies should find a way to embrace the Data Protection Principles as exempting them merely allows suspicions to grow and public trust to be lost.
ISC Press statement, report and evidence accessible from: http://isc.independent.gov.uk/
The ICO and my evidence on the DPA and the national security functions can be obtained from http://isc.independent.gov.uk/public-evidence (date posted is 12 March 2015)
Should national security certificates exclude the Data Protection Principles? (Analysis and some old Certificates provided): http://amberhawk.typepad.com/amberhawk/2014/02/should-national-security-certificates-exclude-the-data-protection-principles.html
Case of S. and Marper v. The United Kingdom, (Applications nos. 30562/04 and 30566/04; judgement delivered 4 December 2008); Regina v. Chief , Constable of South Yorkshire Police (Respondent) ex parte LS and Marper  UKHL 39, judgment delivered 22 July 2004